Does T-Mobile Austria in fact store customers’ passwords in clear text @tmobileat? @PWTooStrong @Telekom_hilft https://twitter.com/SeloX_AUT/status/981406875811008513
-
Thanks for your reply Andrea! Storing cleartext passwords in a database is a naughty thing to do. http://plaintextoffenders.com/faq/devs What can we do to get your devs to fix that?
-
Hi @c_pellegrino, I really do not get why this is a problem. You have so many passwords for every app, for every mail-account and so on. We secure all data very carefully, so there is not a thing to fear. ^Käthe
-
Well, what if your infrastructure gets breached and everyone’s password is published in plaintext to the whole wide world?
-
@Korni22 What if this doesn't happen because our security is amazingly good? ^Käthe
-
Bad news for you Käthe, nobody’s security is that good. No, not even yours. It’s not that I say you are 100% getting hacked - what if an employee accesses the database directly?
-
@Korni22 Excuse me? Do you have any idea how telecommunication companies work? Do you know anything about our systems? But I'm glad you have the time to share your view with us. ^Käthe
-
Well, I do since I worked for @deutschetelekom, but thanks for asking. 3 years of something that’s called „Ausbildung“ a bit more as contractor.
-
@Korni22 So, you never worked for us in Austria though. But thank you very much for sharing your opinion. ^Käthe
-
In fact: you do not need the password. A non-reversible, salted hash of that password is enough. @1und1 sent me my password by mail some years back and their support was just as oblivious. My post didn't explode back then. They opened a ticket but I never heard back.
-
Oh wow, 1und1
By the way, this thread had failed to get any public attention, too, until @troyhunt happened to retweet it
-
@TMobile_CZE - can you please confirm that this practice is / isn't the same for customers in CZ?
-
You have to contact @TMobile_CZE about this. ^Helmut
-
How has this not been deleted yet
-
oh god it's still here
-
Storing passwords in plain text violates the GDPR EU regulation going into effect on May 25. If you still store plain text passwords you can be fined 6% of global (t-mobile as a whole) profits.
-
That’s pure BS.
-
Are you challenging just the 6 % global fine thing or the whole tweet?
-
Various things, but here in particular, the GDPR violation. It is completely unrelated. Many companies use personal data to identify customers on the phone (e.g. C/C use birth date) which would actually be much more GDPR challenging.
-
No personal data = nothing to do with GDPR. Rule number 1 of GDPR, but it seems many fail on the basics. Password encryption is written nowhere in the law (neither is any technical measure for what matters)
-
I also suspect an incomplete comprehension of the fine calculation when I read of "T-mobile as a whole". GDPR talks about worldwide revenue, not putting together different operators which happen to have a common brand. In this case it would be WW revenue of T-Mobile Austria.
-
"few ideas, but confused ones" (cit.)
-
I see. Thanks for elaborating!